Network Intrusion Encounters and Countermeasures

Network intrusion threats run rampant and unchecked on the internet, invisible to most users. You may see no apparent signs of the automated probes directed at your computer network, arriving around the clock and scanning for potential entry points. But they are occurring, maybe right now. Any exposed service can be expected to be discovered quickly and subjected to attack.

I get a good look at these threats by way of the access logs of the shell service which I make available to the internet from a Linux development server on my home network. On a daily basis I log quite a few attempts to gain unauthorized access. In these attacks, would-be intruders try hundreds of guessed login/password combinations from a pre-populated list of default, common, and easy-to-guess access credentials – an extremely effective methodology known as a dictionary attack, specifically in this case, an SSH scan. In the initial hours of operation alone, I logged three rounds of scans: 627 rejected login attempts over 49 minutes from a rogue IP address in Sichuan province, China; 110 similar attempts over 8 minutes from an IP tracing to Brussels, Belgium; and 187 attempts over 13 minutes from yet another source IP, this one from Beijing, China.

Network intruders are motivated by the possibility of obtaining valuable data, vandalizing installations, spreading spam, or using your endpoint as an intermediate staging ground from which to mount new attacks. Probes and scans are ongoing at all hours and originate from anywhere on the globe. There may be no visible signs of these threats to most users, who by and large have come to be shielded from unsolicited remote network traffic by the prevalence of hardware firewall/routers. However, exposure is easily created: through deliberate configuration where there is a justification for it, through accidental misconfiguration, or unknowingly, as when you connect a laptop to the wireless network at an airport or hotel. (Or consider the alternative vector: attacks mounted from a privileged network position by a rogue agent wirelessly associated with your wide-open, unsecured wi-fi access point.)

In the meantime, network intrusion detection and prevention countermeasures are wholly absent from default installations, making for shallow security. Dictionary attacks running without limit into the hundreds of attempts pose a fairly horror-inspiring risk gap, even in the presence of good passwords and patch levels. The hack-tool wielding communities of China and Belgium, apologies, are not counterparties with which I would rest particularly easy while allowing unrestricted tries at my login, presumed unguessable or not. The observed dictionary attack could also be stage one of a cascade or package of intrusion attempts against other components to follow. An inexperienced operator putting a fresh server, Ubuntu 8.04 LTS in my example, up on the internet for SSH access would be exposed to the full extent of this risk. One exposing Windows Terminal Services to the world would be exposed to the same unmitigated extent (see below).

Closing the risk gap requires an active detection-and-response countermeasure that recognizes attacks as soon as they begin and cuts them short. Different situations call for different solutions; in the case of my example Ubuntu server, a few add-on packages fit the bill, and I ended up installing fail2ban. fail2ban actively monitors access logs and, as soon as it recognizes an intruder, blacklists the source address from all network activity via the kernel's iptables packet-filtering framework. This functionality critically backstops the other, statically configured countermeasures, yielding the intruder as few penetration attempts as possible, suppressing the threat and providing defense in depth.
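To make concrete what fail2ban's log watching amounts to, here is an added illustration of my own (not fail2ban's code and not part of the original post): it reads constructed sshd auth-log lines, applies a fail2ban-style per-source window of MAXRETRY failures within FINDTIME seconds, and returns the sources that would be banned together with the kind of iptables DROP rule a ban installs. The jail values, the hostname "devbox", and the TEST-NET addresses in the sample log are all assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd "Failed password" lines that fail2ban's sshd filter keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")

MAXRETRY, FINDTIME = 5, 600   # assumed jail settings: 5 failures within 600 s

def parse_ts(ts, year=2009):
    """syslog timestamps carry no year; assume one so the window arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time_of_ban} for sources reaching maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans:
            continue              # once banned, iptables drops packets before sshd sees them
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()           # slide the window forward, dropping stale failures
        if len(q) >= maxretry:
            bans[ip] = t
    return bans

def ban_command(ip):
    """DROP rule in the spirit of fail2ban's iptables action (simplified: no dedicated chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"

# Constructed sample auth.log excerpt (TEST-NET addresses; not real traffic).
SAMPLE_LOG = """\
Mar  3 02:11:01 devbox sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2
Mar  3 02:11:04 devbox sshd[4323]: Failed password for root from 203.0.113.7 port 40012 ssh2
Mar  3 02:11:07 devbox sshd[4325]: Failed password for invalid user test from 203.0.113.7 port 40013 ssh2
Mar  3 02:11:09 devbox sshd[4327]: Accepted publickey for alice from 192.0.2.50 port 51000 ssh2
Mar  3 02:11:10 devbox sshd[4329]: Failed password for invalid user oracle from 203.0.113.7 port 40014 ssh2
Mar  3 02:11:13 devbox sshd[4331]: Failed password for root from 203.0.113.7 port 40015 ssh2
Mar  3 02:11:20 devbox sshd[4333]: Failed password for invalid user guest from 198.51.100.9 port 31000 ssh2
Mar  3 02:25:00 devbox sshd[4335]: Failed password for invalid user guest from 198.51.100.9 port 31001 ssh2
""".splitlines()
```

Running `find_bans(SAMPLE_LOG)` bans 203.0.113.7 on its fifth failure at 02:11:13, while 198.51.100.9, whose two failures are 14 minutes apart, stays under the window and is left alone.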

Why fail2ban or a package like it is not an automatically implied dependency of Ubuntu's SSH server install preset is a mystery to me; it shows that you cannot be complacent. Never enter haphazardly into any configuration that substantially lowers your overall security posture toward the untrusted network. The threat assessment is more dire than you may realize. Consider where your perimeter defenses may be in want of reinforcement.